VYPR
Unrated severity · NVD Advisory · Published Jan 28, 2020 · Updated Aug 6, 2024

CVE-2012-6610

Description

Authenticated command injection in Polycom HDX/UC APL ping feature allows remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An OS command injection vulnerability exists in the Polycom Web Management Interface of HDX Video End Points before version 3.0.4 and UC APL before version 2.7.1.J [1]. The ping command feature improperly sanitizes user-supplied input, allowing an authenticated remote attacker to inject arbitrary commands by appending a semicolon (;) to the intended target parameter [1]. The injected commands are executed with the privileges of the web application on the underlying embedded Linux system [1]. Affected devices include the Polycom G3/HDX 8000 HD series running Durango 2.6.0 Release build #4740, though other versions and models may also be vulnerable [1].
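
The class of fix for the flaw described above, as an added example: this is not Polycom's code or the vendor's patch, and the function names, the ping options and the sample targets are assumptions made for illustration. The target is validated against a strict allow-list and passed to ping as a single argv element, so no shell ever parses it.

```python
import ipaddress
import re
import subprocess

# One RFC 1123 hostname label: letters, digits, inner hyphens only.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def validate_ping_target(target: str) -> str:
    """Return an IP literal (normalised) or hostname; raise ValueError otherwise."""
    # Reject IPv6 zone IDs up front: ipaddress (Python 3.9+) accepts almost
    # any characters after '%', including ';' and spaces.
    if "%" in target:
        raise ValueError(f"rejected ping target: {target!r}")
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass  # not an IP literal, fall through to the hostname check
    labels = target.split(".")
    if len(target) <= 253 and all(_LABEL.fullmatch(label) for label in labels):
        return target
    raise ValueError(f"rejected ping target: {target!r}")


def build_ping_argv(target: str) -> list:
    """Build the argument vector; the target is exactly one element."""
    return ["ping", "-c", "4", validate_ping_target(target)]


def run_ping(target: str) -> str:
    """Run ping without a shell, so ';' would have no special meaning anyway."""
    result = subprocess.run(build_ping_argv(target), capture_output=True,
                            text=True, timeout=30, check=False)
    return result.stdout


if __name__ == "__main__":
    # Constructed sample inputs (documentation address range, made-up hostname).
    for sample in ["192.0.2.10", "codec.example.test", "192.0.2.10; command"]:
        try:
            print(build_ping_argv(sample))
        except ValueError as exc:
            print(exc)
```
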

Exploitation

To exploit this vulnerability, an attacker must have valid credentials for the Web Management Interface [1]. The attacker initiates a ping request via the web interface and appends a semicolon followed by the desired operating system command (for example, ; command) in the ping target field [1]. No user interaction beyond the authenticated session is required; the command is executed immediately upon submission [1]. The attack does not require any special network position beyond reachability of the management interface [1].

Impact

Successful exploitation allows the attacker to execute arbitrary operating system commands on the affected Polycom device [1]. This can lead to full compromise of the device, including unauthorized access to confidential data, modification of system configurations, denial of service, and use of the device as a pivot point within the network [1]. The commands execute with the privileges of the web server process, which typically runs as root or a privileged user on the embedded system [1].

Mitigation

Polycom has released software updates to address this vulnerability: HDX Video End Points should be upgraded to version 3.0.4 or later, and UC APL should be upgraded to version 2.7.1.J or later [1]. If immediate patching is not possible, administrators should restrict access to the Web Management Interface to trusted networks only, and consider using network segmentation and firewall rules to limit exposure [1]. The vendor advisory from Tempest Security Intelligence lists timeline details and was published in 2012 [1]. No known exploitation in the wild was reported in the references.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2